A sophisticated Python-based malware, dubbed BlankGrabber, is intensifying its assault on everyday users by employing a deceptive certificate loader to conceal a complex, multi-stage infection chain. First observed in 2023, this information stealer has evolved to pilfer a broad spectrum of sensitive data, including browser credentials, session tokens, saved passwords, clipboard contents, Wi-Fi passwords, cryptocurrency wallet information, and even captures screenshots and webcam feeds. Its modular nature allows for adaptable attacks, while its rapid development cycle enables it to bypass traditional security measures.
Recent analysis by Splunk researchers uncovered a BlankGrabber loader hosted on the Gofile[.]io file-sharing platform. This sample revealed an intricate mechanism where a seemingly innocuous certificate installation script was, in fact, a disguised multi-layer infection process. The loader leverages the legitimate Windows utility, certutil.exe, to decode what appears to be certificate data. However, this encoded content is a compiled Rust-based stager, designed to decrypt and launch the ultimate malicious payload.
Deceptive Infection Mechanism and Detection Evasion Tactics of BlankGrabber
The initial stage of the BlankGrabber infection often begins with a batch file loader. This loader runs certutil.exe to decode what is presented as certificate data; the decoded content is actually a compiled Rust stager responsible for the subsequent stages of the attack. Upon execution, the stager performs a series of environment checks, comparing the system’s drivers, usernames, and computer names against a predefined list of sandbox identifiers such as “Triage,” “Zenbox,” and “Sandbox.” If any of these indicators is found, the malware terminates to evade analysis.
If the stager confirms that the system is a genuine user machine and not a sandbox environment, it drops a self-extracting RAR archive into the user’s %TEMP% folder. This archive contains two malicious components: the XWorm remote access client, named host.exe, and the BlankGrabber stealer itself, named Knock.exe. To further camouflage its presence, the dropped executable is given a name picked at random from a list of legitimate-looking Windows process names, such as OneDriveUpdateHelper.exe or SteamService.exe.
The primary BlankGrabber payload is packed with PyInstaller, which bundles the original Python script into a standalone executable. Inside this package is an encrypted file named “blank.aes” that contains the actual malicious code. It is decrypted at runtime by a custom AES-GCM routine that uses a hardcoded key and initialization vector.
Once decrypted, a second-stage script, named “stub-o.pyc,” emerges. This script employs multiple layers of obfuscation, including Base64 encoding, ROT13, and string reversal, making it more difficult for security tools to analyze. Furthermore, BlankGrabber actively works to disable Windows Defender’s real-time protection. This is often achieved through PowerShell commands, which also target and remove existing antivirus signatures.
To prevent victims from accessing security resources, the malware modifies the Windows hosts file, redirecting traffic destined for known security websites to the null address (0.0.0.0). For persistence, BlankGrabber ensures its payload automatically executes upon system reboot by placing a copy of its malicious code into the Windows startup folder.
Propagation Methods and Impact
BlankGrabber’s distribution relies primarily on social engineering and phishing. Threat actors commonly spread the malware through convincingly disguised fake software downloads, often advertised as “cracked” versions of legitimate applications. Malicious archives are also shared on platforms like Discord, and fraudulent GitHub repositories are created to mimic legitimate software utilities. Once a user is tricked into running the infected file, the infection chain starts silently in the background, unpacking its obfuscation layers one by one while staying below the radar of security software.
The consequences of a successful BlankGrabber infection can be severe. Victims face the risk of losing access to their online accounts, including financial platforms and essential services. The theft of sensitive personal data can lead to identity theft and significant financial losses. The concurrent deployment of XWorm alongside BlankGrabber provides attackers with both persistent remote control over the compromised machine and the capability to exfiltrate data.
Security teams are advised to monitor for anomalous usage of certutil.exe, particularly when it is employed to decode data that is not ostensibly certificate-related. Unusual executions of WinRAR outside of its standard installation directory, PowerShell commands aimed at disabling Windows Defender, and unexpected DNS queries directed towards Telegram’s API or known file-sharing services are also potential indicators of compromise. Organizations should prioritize maintaining up-to-date system patches, implement strict policies to block access to unauthorized file-sharing websites, and enforce application allowlisting to significantly reduce their vulnerability to this evolving threat.
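The following is an added example, not code from the Splunk analysis or the article, that turns four of the indicators above into detection logic: certutil decoding into a non-certificate file, WinRAR running outside its install directory, PowerShell switching off a Defender feature, and hosts-file entries that sinkhole security sites to 0.0.0.0. The process events and hosts-file content are constructed sample data, and the field names (`image`, `cmdline`) are an assumed Sysmon/EDR-style layout.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon/EDR style); none come from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\cert.txt C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\corp-root.cer"},
    {"image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\WinRAR.exe",
     "cmdline": r"WinRAR.exe x C:\Users\u\AppData\Local\Temp\pkg.rar"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe x C:\Users\u\Downloads\report.rar"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
]
# Constructed hosts-file content: a normal entry plus two security sites routed to the null address.
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 www.virustotal.com\n0.0.0.0   malwarebytes.com  # added\n"
WINRAR_STANDARD_DIRS = (r"c:\program files\winrar", r"c:\program files (x86)\winrar")
CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".p7b", ".pfx")

def classify(event):
    """Return the indicator names one process-creation event triggers (empty if clean)."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    exe = PureWindowsPath(image).name
    hits = []
    # certutil decoding into an output file that is not a certificate (last token; assumes no spaces in path)
    if exe == "certutil.exe" and re.search(r"\s-decode(hex)?\s", cmd, re.I):
        if not cmd.split()[-1].lower().endswith(CERT_EXTENSIONS):
            hits.append("certutil_decode_non_certificate")
    # WinRAR (or an SFX stub carrying its name) running outside its install directory
    if exe == "winrar.exe" and not image.startswith(WINRAR_STANDARD_DIRS):
        hits.append("winrar_outside_install_dir")
    # PowerShell switching off a Defender feature
    if exe in ("powershell.exe", "pwsh.exe") and re.search(r"set-mppreference\s+-disable\w*", cmd, re.I):
        hits.append("powershell_defender_tamper")
    return hits

def scan(events=SAMPLE_EVENTS):
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

def hosts_null_routes(hosts_text):
    """Return hostnames that a hosts file maps to 0.0.0.0 (the sinkhole the stealer uses)."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            blocked.extend(h.lower() for h in fields[1:])
    return blocked
```

Feeding real Sysmon Event ID 1 records and the live hosts file into these functions is the natural next step; the regexes are deliberately narrow so they can be tuned against a baseline of legitimate certutil and WinRAR use.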